
Your wi-fi will tell me where you live, where you work and where you travel


Moscow Wi-Fi

Many people know that mobile devices broadcast information about the networks they have previously connected to. Most, however, have no idea what follows from this.

Wi-Fi probe requests


To connect to known networks that do not announce their presence (hidden SSIDs), mobile devices send probe requests for the networks they remember. These packets can be captured when the phone turns on or when it disconnects from a network. The usual tools, airodump-ng and tcpdump, are enough (wlan0 must be in monitor mode; airodump-ng appends a sequence number to the capture file name, so the first capture is wifi-dump-01.cap). Example:

    # airodump-ng -w wifi-dump wlan0
    # tcpdump -n -l -e -r wifi-dump-01.cap | grep 'Probe Request ([^)]'


The output contains the time, the device's MAC address and the network name. Example:

    16:32:26.628209 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:50:ea:d6:aa:bb:cc Probe Request (SUBWAY) [1.0 2.0 5.5 11.0 Mbit]


That is, the device 50:ea:d6:aa:bb:cc checked whether the SUBWAY network is within reach.

So what's wrong with that?


Well, the devices broadcast these packets with the names of the networks in them. Think about it.

Note that most local networks have unique names. Of course, common names like SUBWAY will come across. But in many homes the network is named either with an automatically generated name like ProviderNameDEADBEEF or with a name chosen by the owner.

That is, the list of probe requests contains roughly the following kinds of network names:

Home: ProviderNameXXXXX, StreetNameWifi, etc.
Work: Company, CompanyCity, etc.
Public places: standard names
Hotels: various unique names, except for hotel chains

So what if you capture probe requests for networks named FooProvider123456, BlahProviderABCDEF, ACME-Fooville or CafeAwesome? Of course, you can guess the person's provider and where he dines. But these are just names: no BSSID, no coordinates, nothing else. Good. Or not quite.
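To see exactly what a device gives away, the tcpdump output above can be parsed and grouped per client MAC address. The following is an added example (not code from the original article) for auditing your own devices: it reads constructed tcpdump lines in the format shown above, keeps only directed probe requests (non-empty SSID), and sorts each name into the categories the article describes (a common name, a provider-default name, or a unique name). The COMMON_SSIDS list and the provider-default pattern are assumptions chosen for the example, not a published classification.

```python
import re
from collections import defaultdict

# Constructed sample: the format tcpdump prints for 802.11 probe requests,
# plus an empty (wildcard) probe and a beacon line that must be ignored.
SAMPLE_TCPDUMP = """\
16:32:26.628209 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:50:ea:d6:aa:bb:cc Probe Request (SUBWAY) [1.0 2.0 5.5 11.0 Mbit]
16:32:26.731002 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:50:ea:d6:aa:bb:cc Probe Request (FooProvider123456) [1.0 2.0 5.5 11.0 Mbit]
16:32:27.002114 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:50:ea:d6:aa:bb:cc Probe Request (ACME-Fooville) [1.0 2.0 5.5 11.0 Mbit]
16:32:27.113005 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:50:ea:d6:aa:bb:cc Probe Request () [1.0 2.0 5.5 11.0 Mbit]
16:32:28.440321 BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:a4:c3:f0:11:22:33 Probe Request (CafeAwesome) [1.0 2.0 5.5 11.0 Mbit]
16:32:29.000000 BSSID:02:11:22:33:44:55 DA:ff:ff:ff:ff:ff:ff SA:02:11:22:33:44:55 Beacon (SUBWAY) [1.0 2.0 5.5 11.0 Mbit] ESS
"""

# Time, source (client) MAC and the SSID inside the parentheses.
PROBE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) .*?SA:(?P<sa>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"Probe Request \((?P<ssid>[^)]*)\)"
)

# Assumed short list of widely used names that say nothing about a person.
COMMON_SSIDS = {"SUBWAY", "xfinitywifi", "attwifi", "Free WiFi"}

# Assumed shape of an ISP default name: letters followed by a hex/digit suffix
# (ProviderNameDEADBEEF, FooProvider123456). Unique per household, and it
# names the provider.
PROVIDER_DEFAULT_RE = re.compile(r"^[A-Za-z]+[-_]?[0-9A-F]{4,}$")


def parse_probe_requests(text):
    """Return (time, client_mac, ssid) for every directed probe request.

    Wildcard probes with an empty SSID and all other frame types are skipped.
    """
    out = []
    for line in text.splitlines():
        m = PROBE_RE.match(line)
        if m and m.group("ssid"):
            out.append((m.group("time"), m.group("sa"), m.group("ssid")))
    return out


def classify_ssid(ssid):
    """Category of a network name: 'common', 'provider-default' or 'unique'."""
    if ssid in COMMON_SSIDS:
        return "common"
    if PROVIDER_DEFAULT_RE.match(ssid):
        return "provider-default"
    return "unique"


def leaked_networks_per_device(text):
    """Map each client MAC to {ssid: category} for the names it asked for."""
    per_device = defaultdict(dict)
    for _, mac, ssid in parse_probe_requests(text):
        per_device[mac][ssid] = classify_ssid(ssid)
    return dict(per_device)


def exposure_report(text):
    """Per device, how many of the revealed names are not common ones."""
    return {
        mac: sum(1 for cat in ssids.values() if cat != "common")
        for mac, ssids in leaked_networks_per_device(text).items()
    }


if __name__ == "__main__":
    for mac, ssids in leaked_networks_per_device(SAMPLE_TCPDUMP).items():
        print(mac)
        for ssid, cat in ssids.items():
            print(f"  {ssid:24} {cat}")
    print(exposure_report(SAMPLE_TCPDUMP))
```

Run it against a real capture with `tcpdump -n -l -e -r wifi-dump-01.cap | python3 this_script.py` after replacing SAMPLE_TCPDUMP with `sys.stdin.read()`; any device of yours with a non-zero count in the report is broadcasting names that could be looked up.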

For there is WiGLE in the world!


WiGLE (Wireless Geographic Logging Engine) is a service operating under the motto "All the networks. Found by everyone." And most urban networks really can be found in this service. Moreover, networks can be searched for by name. That is how you get information about the networks you are interested in from nothing but their names.


Networks in the Kremlin

[Translator's note] The large-scale location of networks on the map is shown only to registered users.

You can make some assumptions. For example, if WiGLE returns more than 3-4 networks with the same name, it is most likely a standard name that can be ignored, unless one of those networks happens to be near the unique ones we found. You can also filter out networks that have not been seen for more than a year, unless they are unique and have not moved over time; otherwise it means the access point has been moved.

Collecting information


What information can we collect from the list of networks? Let's look at a map that was generated automatically from the WiGLE search results. They were downloaded with the wigle library and plotted on a map:

image

Encrypted networks are marked in green, open ones in red, and unknown ones in blue. Each marker actually points to a specific building. You can immediately see that the person most likely lives and works on the east coast of the United States (several markers), flies to Japan (a marker for an encrypted corporate network), vacations in Thailand (networks named after hotels) and also travels around New Zealand (networks named after campgrounds). From the name of the corporate network you can work out the name of the company.

This opens the way to social engineering, to finding a specific person, to finding employees of company X... And from the MAC address you can find out the model of the device, and thus pick that person out of a crowd.

Boss, what do we do??


On Linux, you can configure the networks in wpa_supplicant and set scan_ssid=0. That is the default, and with this setting no probe requests for that network are sent. On other systems, I don't know.
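The setting above can be checked rather than assumed. Below is an added example (not part of the original article) that parses a wpa_supplicant.conf, reports every saved network whose block sets scan_ssid=1 (the value that makes wpa_supplicant send directed probe requests carrying that SSID), and produces a hardened copy with those lines set back to the default of 0. The configuration text is constructed for the example; the file path and passphrases are placeholders.

```python
import re

# Constructed wpa_supplicant.conf with three saved networks. Only the second
# block sets scan_ssid=1, so only its name would be broadcast in probe requests.
SAMPLE_CONF = """\
ctrl_interface=/run/wpa_supplicant
update_config=1

network={
    ssid="CafeAwesome"
    psk="example-passphrase"
}

network={
    ssid="ACME-Fooville"
    psk="example-passphrase"
    scan_ssid=1
}

network={
    ssid="SUBWAY"
    key_mgmt=NONE
    scan_ssid=0
}
"""


def parse_networks(conf_text):
    """Return one dict of key/value pairs per network={ ... } block."""
    networks = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        if line.startswith("network={"):
            current = {}
            continue
        if line == "}" and current is not None:
            networks.append(current)
            current = None
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def directed_probe_networks(conf_text):
    """SSIDs that wpa_supplicant will name explicitly in probe requests.

    scan_ssid is 0 unless the block says otherwise, so a missing key is safe.
    """
    return [n["ssid"] for n in parse_networks(conf_text)
            if n.get("scan_ssid", "0") == "1"]


def harden(conf_text):
    """Copy of the config with every scan_ssid=1 changed to scan_ssid=0.

    Caveat: a network whose access point hides its SSID can only be joined
    with scan_ssid=1, so this trades that ability for not announcing the name.
    """
    return re.sub(r"^(\s*scan_ssid\s*=\s*)1\s*$", r"\g<1>0",
                  conf_text, flags=re.MULTILINE)


def audit(conf_text):
    """Summary a user can read: how many networks are saved and which leak."""
    return {"saved": len(parse_networks(conf_text)),
            "leaking_names": directed_probe_networks(conf_text)}


if __name__ == "__main__":
    # Placeholder path; on a real system read /etc/wpa_supplicant/wpa_supplicant.conf.
    print(audit(SAMPLE_CONF))
    print(audit(harden(SAMPLE_CONF)))
```

Note that scan_ssid=0 only stops the directed probes that carry the name; wpa_supplicant still scans with broadcast (wildcard) probe requests, which is what makes the names of visible networks unnecessary in the first place.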

Of course, you can delete saved networks or turn off Wi-Fi when you don't need it. But that is not a solution. You can give your home network a common name, but that does not solve the problem with the names of the other networks you use.

Source: https://habr.com/ru/post/253335/

